Electronic Health Records wired for abuse

“Oops! They did it to Britney again.” No, it’s not a song parody, but a reflection of the poor state of American health privacy – something Bay Staters should think about as their Legislature considers a bill to mandate Electronic Health Records (EHRs).

Staff members at UCLA’s Medical Center are under investigation over allegations staffers accessed Britney Spears’ medical records earlier this year. Sadly, this is not the first time individuals other than the paparazzi violated Spears’ privacy; staffers also took inappropriate peeks when her first child was born.

Massachusetts residents should realize that they don’t have to be a celebrity to be subjected to such treatment.

EHRs are containers of very personal information. What you once told your doctors in confidence, perhaps to end up in their files, will now be accessible via the Internet, exposing it to hackers, nosy medical staff and businesses out to make a buck on the billion-dollar health industry.

Patient privacy is threatened by human error and human nature. In addition, it is greatly compromised by our weak federal protections.

Most Americans think the Health Insurance Portability and Accountability Act (HIPAA) protects their privacy and that the HIPAA notice they sign at the doctor’s office lists all of their rights to privacy. In fact, that HIPAA notice lists the vast number of ways their private health information can be used, without asking and over objections.

HIPAA was originally intended to protect privacy. Regulators earlier in this decade rewrote the rule to sanction disclosure of medical information for treatment, payment or health care operations.

“Particularly troubling about HIPAA’s Privacy Rule is the governmental authorization for covered entities to use patients’ confidential information without their consent for health care operations that are unrelated to ‘payment or treatment,’” writes Dr. Richard Sobel, senior research associate in the Program in Psychiatry and the Law at Harvard Medical School. Sobel explains that “health-care operations” can include using information for marketing purposes, which normally would require written consent.

Data-mining firms were given a gift by the rewriting of the HIPAA Privacy Rule. Data-mining firms can obtain information about your prescriptions, treatment for mental health and genetic predisposition to illnesses. That information can be passed on to credit firms, marketing firms and even prospective employers.

Combine a weak HIPAA law with Electronic Health Records without adequate privacy protections and you have a prescription for disaster and discrimination.

What measures should Massachusetts consider to ensure EHRs and Electronic Health Information Networks (EHIN) protect the confidentiality of their records?

One measure is to require audit trails so patients can know who is accessing their health records and for what purposes. That requirement should prevent the sneak peeks. Another is the right of patients to segment sensitive medical information. There is no reason why an ophthalmologist should be able to view psychiatric treatment records.
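The two measures described above, as an added example that is not from the column or from any real EHR product: a segmented record store in which a role can open only the record categories its policy lists (so an ophthalmologist is refused psychiatric notes), and an append-only audit trail that records every attempt, granted or denied, which the patient can read back. The role names, categories and emergency override are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: the record categories each clinical role may open.
# Psychiatric notes are segmented away from unrelated specialties, so an
# ophthalmologist is not listed for "psychiatry". Unknown roles get nothing.
SEGMENTATION_POLICY = {
    "ophthalmologist": {"ophthalmology", "medications", "allergies"},
    "psychiatrist": {"psychiatry", "medications", "allergies"},
    "primary_care": {"ophthalmology", "psychiatry", "medications", "allergies"},
}

@dataclass(frozen=True)
class AuditEntry:
    patient_id: str
    staff_id: str
    role: str
    category: str
    purpose: str
    granted: bool
    when: str

class RecordStore:
    """Segmented record access plus an append-only audit trail per patient."""

    def __init__(self):
        self._records = {}   # (patient_id, category) -> record content
        self._audit = []     # only ever appended to; never edited or pruned

    def put(self, patient_id, category, content):
        self._records[(patient_id, category)] = content

    def access(self, patient_id, staff_id, role, category, purpose, emergency=False):
        """Return the record if policy (or a declared emergency) allows it; log either way."""
        allowed = category in SEGMENTATION_POLICY.get(role, set())
        # Break-glass: an emergency override opens the record but is audited like
        # any other access, so a spurious "emergency" still shows in the trail.
        granted = allowed or emergency
        self._audit.append(AuditEntry(patient_id, staff_id, role, category, purpose,
                                      granted, datetime.now(timezone.utc).isoformat()))
        return self._records.get((patient_id, category)) if granted else None

    def patient_audit_trail(self, patient_id):
        """Everything attempted against this patient's records, denied reads included."""
        return [e for e in self._audit if e.patient_id == patient_id]

    def staff_with_denials(self, patient_id):
        # Staff refused a segmented category: a starting point for a privacy review.
        return sorted({e.staff_id for e in self.patient_audit_trail(patient_id) if not e.granted})
```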

State lawmakers might take a look at U.S. Rep. Ed Markey’s (D-Malden) Technologies for Restoring Users’ Security and Trust Act. The bill includes provisions favored by patient privacy advocates and is premised on patients giving consent before others can see their health information in non-emergency situations.